Windows Zero-Day Used with Chrome Flaw in Targeted Attacks

  /     /     /  
Publicated : 23/11/2024   Category : security


Windows Zero-Day Used with Chrome Flaw in Targeted Attacks


Googles Project Zero has disclosed a Windows kernel zero-day vulnerability being used with a known Chrome bug in targeted attacks.



Researchers with Googles Project Zero have disclosed a vulnerability in the Windows kernel being exploited in the wild with a known, patched Google Chrome flaw in targeted attacks.
CVE-2020-17087 exists in the Windows Kernel Cryptography Driver and constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape), researchers explain in a Chromium entry. 
Source code for a proof-of-concept program was tested on an updated build of Windows 10; however, the flaw is believed to be present as early as Windows 7.
The vulnerability is being used along with CVE-2020-15999, a heap buffer overflow vulnerability that exists in Chromes implementation of FreeType, a common font rendering library. Project Zero
disclosed this flaw
with a patch in late October, warning it was being exploited in the wild.
Project Zero typically discloses flaws after 90 days or when a fix is available. In this case, they disclosed seven days after notifying Microsoft because its being exploited in the wild. The team expects a patch for CVE-2020-17087 will be issued on Nov. 10, the same day as Microsofts monthly Patch Tuesday rollout.
In a series of tweets, Project Zero technical lead Ben Hawkes
wrote
a few comments defending the release: We think theres defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonably unlikely. So far the bug has been used as part of an exploit chain, and the entry point has been fixed.
Shane Huntley, director of Googles Threat Analysis Group (TAG), has confirmed this is targeted exploitation and not linked to any US election-related targeting. So far, no other details about the active attacks have been released.
Read more information
here
and the Project Zero
post
for technical details.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Windows Zero-Day Used with Chrome Flaw in Targeted Attacks